What's this bulletin about?
This bulletin announces the availability of a patch that eliminates a vulnerability in Microsoft® Internet Explorer. The vulnerability could allow a malicious web site operator to read files on the computer of a visiting user. Microsoft takes security seriously, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
Why was this bulletin re-released?
When this issue was discovered on October 11, 1999, we released this bulletin to advise customers of a workaround that they could use to protect themselves against this vulnerability. On October 15, 1999, we delivered a patch that eliminated the vulnerability, and updated the bulletin accordingly.
On October 29, 1999, we learned that the patch had caused a regression error. While the patch did correct the vulnerability at hand, it caused an older vulnerability to be re-exposed for IE 5 users. We have corrected the IE 5 patch, tested it thoroughly, and are re-releasing this bulletin to announce its availability.
I installed the original version of the patch. What should I do?
• If you are an IE 4 user and previously applied the fix for this vulnerability, you do not need to do anything.
• If you are an IE 5 user and previously applied the fix for this vulnerability, you need to apply the updated fix. Information on where to obtain the fix is provided in the "Patch Availability" section of the bulletin.
Does the regression change Microsoft's assessment of the vulnerability?
No. The regression error was completely unrelated to the vulnerability. All of the information regarding the vulnerability is unchanged from our original assessment.
What's the scope of the vulnerability?
The vulnerability could allow a malicious web site operator to read files on a visiting user's computer, but only if he or she already knew the name of the file and the folder in which it resides. Even then, the malicious user could not add, delete or change files on the user's computer, nor could he or she cause any other action to be taken on the computer.
What is the vulnerability?
Internet Explorer restricts what actions a web site can take on the computer of a visiting user. When script delivered by a web site requests that a particular action be taken on the visiting computer, IE examines the request and allows it only if it is appropriate. However, not all of these checks are applied when the requesting script runs within an IFRAME. Specifically, certain requests made through the scripting method ExecCommand() are not properly bounded when it is invoked on an IFRAME.
What's an IFRAME?
An IFRAME is a sub-window of the main browser window. From the perspective of the software that runs in it, an IFRAME is its own window and can operate independently of the window that contains it. This vulnerability has nothing to do with IFRAMEs per se; it results only because some of the normal security checks are not present within IFRAMEs.
What versions of Internet Explorer are affected?
Versions of Internet Explorer 4.01 prior to Service Pack 2 are affected by this vulnerability, as is Internet Explorer 5. No other versions are affected.
What does the patch do?
The patch makes IFRAMEs subject to the same security checks as other browser windows. In addition, the IE5 patch also includes a fix for the "Download Behavior" security vulnerability.
Why did you include the patch for the "Download Behavior" vulnerability in the IE5 patch for this vulnerability?
We combined the two patches in order to make it more convenient for customers to be fully protected against all known vulnerabilities.
Why isn't the patch for the "Download Behavior" vulnerability included in the IE 4.01 patch?
The "Download Behavior" vulnerability doesn't affect IE 4.01.
Once I've installed the patch, can I re-enable Active Scripting in the Internet Zone?
Yes. However, we recommend that you continue to use the Security Zones features of IE to manage the actions you let web sites take, as discussed below. Here's how to re-enable Active Scripting in the Internet Zone:
• Select "Tools," then "Internet Options." Click the "Security" tab.
• In the box labeled "Select a Web content zone to specify its current security settings," click "Internet," then click "Custom level."
• Scroll down until you see a major heading labeled "Scripting," then find the minor heading marked "Active Scripting." Click the "enabled" button under "Active Scripting."
• Click on OK twice to accept the changes and return to IE.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.
How can I verify that I installed the patch correctly?
Knowledge Base article 243638 provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to check that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
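The check described above (are the patch's files present, with the expected sizes and creation dates?) is easy to script so that it can be run on many machines. The following PowerShell is an added example; it is not part of the bulletin or of KB 243638, and the manifest it contains is a constructed placeholder: the single entry "example.dll" is not a real file from the patch and must be replaced with the names, sizes and dates listed in the KB article. It also assumes the patch files are installed under the System32 folder.

```powershell
# Added example (not from the Microsoft bulletin or KB 243638).
# Compare installed files against a manifest of expected names, sizes and
# creation dates, as the FAQ's "How can I verify..." answer describes.

# PLACEHOLDER manifest: fill this in from KB 243638. The entry below is
# constructed for illustration and is not a file from the patch.
$Manifest = @(
    @{ Name = 'example.dll'; Size = 12345; Date = '1999-10-29' }
)

# Assumption: the patched files are installed under %SystemRoot%\System32.
$SystemDir = Join-Path $env:SystemRoot 'System32'

function Test-PatchFiles {
    param(
        [array]$Entries = $Manifest,
        [string]$Dir = $SystemDir
    )
    foreach ($e in $Entries) {
        $path = Join-Path $Dir $e.Name
        $item = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            # File not present at all: the patch was not installed (or not here).
            [pscustomobject]@{ File = $e.Name; Status = 'Missing'; ActualSize = $null; ActualDate = $null }
            continue
        }
        $sizeOk = ($item.Length -eq [long]$e.Size)
        $dateOk = ($item.CreationTime.Date -eq ([datetime]$e.Date).Date)
        $status = if ($sizeOk -and $dateOk) { 'OK' }
                  elseif ($sizeOk)          { 'DateMismatch' }
                  elseif ($dateOk)          { 'SizeMismatch' }
                  else                      { 'Mismatch' }
        [pscustomobject]@{
            File       = $e.Name
            Status     = $status
            ActualSize = $item.Length
            ActualDate = $item.CreationTime.ToString('yyyy-MM-dd')
        }
    }
}

# Usage: print one row per manifest entry; anything other than 'OK' needs a look.
Test-PatchFiles | Format-Table -AutoSize
```

The script compares the date portion of each file's creation time, following the FAQ's wording; KB manifests sometimes list a file's modification time instead, so if every entry reports DateMismatch while sizes match, compare against LastWriteTime as well before concluding the patch is missing.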
What are Security Zones?
Security zones are an important security tool. They let you group web sites based on how much you trust them. Once you've done this, you can give more freedom to trusted sites, and impose restrictions on untrusted ones. This lets you get the best of both worlds - a great web experience on sites that you trust, and tight security on ones that you don't.
How do Security Zones work?
IE enables you to categorize web sites into four different "zones".
• The Internet Zone - all Internet web sites are categorized here by default.
• The Local Intranet Zone - All web sites that are local to your organization are categorized here by default.
• The Trusted Zone - This zone contains all sites you have explicitly said you trust not to take malicious action.
• The Restricted Zone - This zone contains all the sites you have explicitly said you do not trust.
Each zone has its own set of allowed and disallowed actions, and you can customize them as you like. For instance, you could configure the Internet Zone so that ActiveX controls could only be run if they've been digitally signed by someone you trust. Likewise, you could configure the Trusted Zone so that sites there could use any ActiveX controls, whether signed or not.
Isn't it a lot of work to manage Security Zones?
Not really. Most users have a core group of web sites that they visit frequently. If you trust these sites, just add them to the Trusted Zone. All other sites are automatically included in the Internet Zone, so you can restrict what they can do by changing the Internet Zone configuration settings.
How do I add sites to the Trusted Zone?
Just follow these steps:
• Select "Tools," then "Internet Options." Click the "Security" tab.
• In the box labeled "Select a Web content zone to specify its current security settings," click "Trusted Sites," then click "Sites."
• If you want to add sites that don't require a secure connection, de-select the checkbox at the bottom that says "Require server verification (https:) for all sites in this zone."
• In the box labeled "Add this Web Site to the zone:," type the URL of a site that you trust, then click the "Add" button. Repeat for each site that you want to add to the zone.
• Click on OK twice to accept the changes and return to IE.
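Both GUI procedures in this FAQ (re-enabling Active Scripting in the Internet Zone, and adding a site to the Trusted Zone) change per-user registry values, so an administrator can inspect or apply them from a shell instead of clicking through the dialog on each machine. The following PowerShell is an added example and is not code from the bulletin. It assumes IE's zone settings live under the well-known "Internet Settings\Zones" and "Internet Settings\ZoneMap\Domains" keys in HKCU, that value 1400 in a zone key is the Active Scripting setting (0 = Enable, 1 = Prompt, 3 = Disable), and that the zones are numbered 1 (Local Intranet), 2 (Trusted Sites), 3 (Internet) and 4 (Restricted Sites).

```powershell
# Added example (not from the Microsoft bulletin): inspect and set the IE
# zone settings that the FAQ's two GUI procedures change.
# Assumptions: standard per-user IE zone registry layout under HKCU.
$ZonesRoot   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneMapRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Zone numbers as IE stores them.
$Zones = @{ Intranet = 1; Trusted = 2; Internet = 3; Restricted = 4 }

# Per-zone action DWORDs use 0 = Enable, 1 = Prompt, 3 = Disable.
$ActionNames  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$ActionValues = @{ Enable = 0; Prompt = 1; Disable = 3 }

function Get-ActiveScripting {
    # Reads value 1400 (Active Scripting) for the named zone.
    param([ValidateSet('Intranet','Trusted','Internet','Restricted')][string]$Zone = 'Internet')
    $key = "$ZonesRoot\$($Zones[$Zone])"
    $v = (Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue).'1400'
    if ($null -eq $v) { return 'NotSet' }
    if ($ActionNames.ContainsKey([int]$v)) { return $ActionNames[[int]$v] }
    return "Unknown($v)"
}

function Set-ActiveScripting {
    # Equivalent of Custom level -> Scripting -> Active Scripting in the dialog.
    param(
        [ValidateSet('Intranet','Trusted','Internet','Restricted')][string]$Zone = 'Internet',
        [Parameter(Mandatory)][ValidateSet('Enable','Prompt','Disable')][string]$Action
    )
    $key = "$ZonesRoot\$($Zones[$Zone])"
    Set-ItemProperty -Path $key -Name '1400' -Value $ActionValues[$Action] -Type DWord
}

function Add-TrustedSite {
    # Equivalent of Trusted Sites -> Sites -> Add. IE stores
    # "windowsupdate.microsoft.com" as Domains\microsoft.com\windowsupdate
    # with a DWORD named after the scheme whose data is the zone number (2).
    param([Parameter(Mandatory)][string]$HostName, [string]$Scheme = 'http')
    $labels = $HostName.ToLower().Split('.')
    if ($labels.Count -lt 2) { throw "Expected a dotted host name, got '$HostName'" }
    $domain = ($labels[-2], $labels[-1]) -join '.'
    $key = Join-Path $ZoneMapRoot $domain
    if ($labels.Count -gt 2) {
        $sub = ($labels[0..($labels.Count - 3)]) -join '.'
        $key = Join-Path $key $sub
    }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Scheme -Value $Zones.Trusted -PropertyType DWord -Force | Out-Null
    return $key
}

# Usage, mirroring the FAQ: confirm the workaround state, re-enable scripting
# once the patch is on, and put the update site in the Trusted Zone.
Get-ActiveScripting -Zone Internet
Set-ActiveScripting -Zone Internet -Action Enable
Add-TrustedSite -HostName 'windowsupdate.microsoft.com' -Scheme 'http'
```

Two caveats: the script does not touch the "Require server verification (https:)" checkbox, so an http entry added this way is honored by IE but will not be accepted if you later type it into the dialog while that box is checked; and if the zones are managed centrally (the Security_HKLM_only policy), IE ignores the HKCU values and the same keys must be set under HKLM through policy instead.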
What sites should I add to the Trusted Zone?
Add any sites that you trust not to take malicious action on your computer. One in particular that you may want to add is http://windowsupdate.microsoft.com. This is the site that hosts upgrades for Windows, including any security patches.
What is Microsoft doing about this issue?
• Microsoft has developed a patch that will eliminate the vulnerability.
• Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability.
• Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
• Microsoft has issued a Knowledge Base article explaining the vulnerability and patch in more detail.
Where can I learn more about best practices for security?
The Microsoft Security web site is the best place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.